The UK government has released its annual Cyber Security Breaches study, which reveals that 43% of businesses and 28% of charities experienced cyber attacks in the last year. In response to the findings, experts at Talion, Converged and Barrier Networks give their thoughts.
Keven Knight, CEO, Talion:
“The Cyber Breaches Study highlights some interesting trends across the UK’s security landscape.
Firstly, the volume of breaches organisations face appears to be similar to the numbers from last year. This doesn’t mean attacker activity is declining, it suggests organisations are becoming more aware of cyber crime and doing more to improve their defences.
However, even despite this, there remain some concerning gaps within defences.
The two biggest red flags from the study centre on AI adoption and poor supply chain security. If organisations are not validating the security of their supply chain, they risk leaving their own environments wide open to attack.
This is something the UK government is concerned about and the introduction of the recent Cyber Pledge will aim to tackle weaknesses in supply chain security, but organisations have a big part to play.
When it comes to AI adoption, it seems organisations are bringing AI into their environments, but only a small proportion are ensuring their security posture covers those deployments.
This is a big concern and organisations must stop viewing AI as platforms purely developed for convenience and productivity.
With employees regularly inputting sensitive information into AI applications, they must be governed and secured in the same way as other sensitive SaaS platforms.”
Graeme Gordon, CEO, Converged Solutions Group:
“This survey highlights that UK organisations are under continued threat of attack, with the largest facing the greatest risks.
According to the figures, utilities are one of the worst-hit sectors, with 49% suffering breaches. This isn’t surprising. It also aligns with last year’s data from Zscaler which highlighted that oil and gas faced a 935% year-over-year spike in ransomware attacks.
The study points out that only 5% of UK businesses currently have Cyber Essentials accreditation. While this is an increase on the 3% from last year, uptake of the certification is worryingly low.
While the study does say 24% of businesses reported having the technical controls associated with Cyber Essentials, we shouldn’t get too optimistic about these claims.
Unless organisations have their cyber security posture audited by experts, they can never be fully confident in the effectiveness of their controls, or whether they are doing enough to protect their assets.
This is a big risk because the worst time to find out your security controls are ineffective is when dealing with a live incident.
The government is clearly trying to promote the uptake of Cyber Essentials and organisations should take this advice seriously.
With cyber attack levels increasing, organisations must do all they can to protect their environments. Getting the basics right is the best place to start.”
Euan Carswell, SOC Team Lead, Barrier Networks:
“The study highlights that 49% of utilities organisations faced attacks in the last year, but only 33% have board members or trustees responsible for cyber. This is a concerning gap.
Manufacturers, like JLR, are grouped into this category in the study and no one needs a reminder about the scale, consequences and financial impact of that attack.
Cyber needs to be governed at the board level, where risk appetite, and reduction, is decided from the top down.
It is not an IT issue, it is a business-wide risk and in the very worst scenario it has the power to shutter an organisation. This is not a threat that IT can be responsible for.
With phishing being the primary cause behind most breaches, it is also concerning that only 20% of organisations are routinely training their staff.
When it comes to phishing, employees are the number one line of defence and organisations will be leaving themselves exposed if they don’t prioritise awareness training.
This must happen at every level, because executives are often the key targets of these scams, and when they fall victim the losses can be significant.
Many of the attacks over the last couple of years have been executed via phishing, so organisations cannot overlook these attacks and naively believe employees will be able to detect the scams.
With advances in AI, phishing is becoming highly challenging to detect so employees must be trained on all the varying forms these scams can take today.”